Cybersecurity for Healthcare
Interview with John Stephens, Managing Partner, Luminant Digital Security
Today’s topic is cybersecurity for healthcare organizations. I’m pleased to have as my guest expert today John Stephens, Managing Partner at Luminant Digital Security. John, welcome and thanks for joining me.
Hi, Lonnie. Thank you for having me. It’s a pleasure to be joining your podcast today.
Risk of Compromised Patient Data from Cyber Attacks
- I recently read about the results of a new survey from KPMG indicating that 47 percent of healthcare providers and health plans said they had experienced instances of security-related HIPAA violations or cyber attacks that compromised patient health data, an increase of 12% over just the last two years. Yet, the same survey reported that a smaller majority of healthcare companies made investments in cybersecurity and information protection (66% vs 88% in the 2015 survey). Do you see the risks of compromised data increasing for healthcare organizations, and if you do, why do you think it’s not a higher and more urgent priority for many of them?
Lonnie, even without the data indicating that spending was down, I would expect the percentage of organizations affected to increase. The threat environment just keeps worsening, with more and more cybersecurity threats perpetrated by more and more actors. It’s getting harder and harder to protect data. In my mind, that’s the simple fact with which we have to live. That’s easy for me to say, though, as that’s what I work with every day. I can only imagine how hard it is for healthcare professionals whose real focus is providing patient care to keep track of the ever-changing nature of cyber threats. And I think that’s the fundamental problem. Cyber is just one more thing.
Why Hackers Like Patient Data
- Why is patient health data such an attractive target for hackers?
Criminals clearly understand the value of stolen medical records for perpetrating medical fraud and other forms of identity theft. Stolen medical records can be used to illicitly obtain prescriptions, medical equipment such as electric wheelchairs, and medical care worth thousands or even tens of thousands of dollars. Experian reports that the average incidence of medical fraud ends up costing the victim over $22,000. It’s not surprising therefore that, on the black market, a stolen medical record sells for 10 times the price of a stolen credit card.
Fundamentally, patient health data is the preferred target for hackers because it supports so many ways for them to monetize the data. Whereas data like credit card data can be leveraged for profit, it’s kind of a one-shot deal with the criminal only being able to leverage the credit card number until it’s reported as compromised. Contrast that with medical data. Think about the sheer volume of data contained in a medical record. Address information, vital statistics, and, of course, health information.
Crooks can steal your identity to open accounts for utilities or credit cards—think about it, all the information required by the companies is there. They can even go a step further and obtain prescriptions for drugs or costly medical equipment. And, of course, given the full range of information in a medical record, it might be possible to put together other forms of fraud, such as filing tax returns or obtaining medical care using your information for billing.
- What are some of the more common misconceptions or ignorance of facts regarding the risks related to cyber attacks?
I think one of the biggest misconceptions that organizations have is that they aren’t a target and don’t need to be overly concerned about cybersecurity. This isn’t strictly out of complete naivety in that people deny that threats are out there, but rather that they think they’re not an attractive enough target to warrant attention. It’s a simple matter of not truly understanding how the attacks are perpetrated, so they believe they’re safe.
Smaller Medical Organizations Need Cybersecurity Too
- Are small to medium-sized healthcare organizations as attractive a target for hackers as larger hospitals, health systems and health plans?
I think smaller organizations are probably an even more attractive target. Granted, they may not be as big a payload at the end, but they’re frequently far easier to crack as they don’t have the budget, people, and other resources dedicated to information security the bigger hospitals or health systems have. Let’s face it, it’s a matter of money. You can either work really hard to get a big score, but the dangers are high because their capabilities are greater, or you can work a little less and make up the difference with more transactions. It’s simple business. Sometimes it’s easier to make money with volume.
- I would imagine that cost and fear of operational disruption are two of the issues that may cause healthcare organizations to avoid, or at least delay, committing to a plan of action regarding cybersecurity. Could you address both of these topics?
I think both of those items contribute, absolutely. Even in today’s day and age, not everyone has become accustomed to having to have a security budget. Cyber threats have evolved so quickly, and the threats have grown so fast and so much. So cost is definitely a big issue. But so too is the operational impact, or at least the fact that there will be big impacts. But that’s all about the planning and preparation, and that’s true for both cost and impact. If you do the planning and preparation on the front end, both the costs and impact can be controlled. If you wait until after something has happened, it’s a different story. Really, for both items, an ounce of prevention is worth a pound of cure.
Process of Assessing and Protecting Against Hacks
- What is your recommendation on the appropriate steps in a process of assessing and protecting against these kinds of hacks?
Well, I wish I could say there is a one-size-fits-all solution, kind of that magic bullet. Something like “if you just buy this, your troubles will be over.” Unfortunately that’s just not the case. However, there is an approach from which every organization can benefit. The good news is that it’s not rocket science, and it’s actually part of the HIPAA compliance requirements. It’s simply adopting and maintaining a Risk Management program.
That starts with a Risk Assessment to identify the risks to your information, followed by devising a plan that addresses how you will address or remediate the risks identified. Since every organization is different, every Risk Assessment will be somewhat different. But they should all take an objective look at the technology, processes, people, and places involved to determine how such hacks could be perpetrated successfully. This allows an organization to understand their risks as objectively as possible and then dedicate their resources in an optimal fashion.
- Tell us about Luminant – what you do and how you work with healthcare organizations.
Lonnie, Luminant Digital Security is a Portland-based digital security firm. We can help healthcare organizations develop, implement, maintain, or enhance their information security practices. Sometimes that means consulting to help develop and implement a new program to a practice that’s never taken it seriously before. Or maybe it’s just taking a look at what a practice does and evaluating it against the current threat environment. We’re well-versed in the requirements of HIPAA, so we can help assess the effectiveness of cybersecurity controls (this too is a HIPAA requirement). Sometimes organizations bring us in to complete the entire HIPAA Risk Assessment to provide an objective third-party opinion or validation of what they’re already doing.
And sometimes it’s simply augmenting their teams by performing technical tasks such as vulnerability scanning or penetration testing or helping to educate their staff on current threats like phishing or other social engineering methods. At Luminant our expertise is in securing information technology and making it work effectively within an organization. We have a wealth of experience with healthcare organizations and the unique demands they have. And we’re also dedicated to the SMB market because our passion is to provide Enterprise-class security to SMB organizations that don’t have an enterprise budget.
- How can listeners contact you directly?
If anyone has questions or wants to chat, I can be reached directly at email@example.com or at my desk at 503.905.3281. Those are both my direct contacts, and I’d love to chat with members of your audience.
Thanks very much, John. Our guest today has been John Stephens, a Managing Partner at Luminant Digital Security. Please tune in again for my next podcast on the business of healthcare. This is Lonnie Hirsch wishing you great success in your healthcare business.